You don't have to be a big company — such as Yahoo, MySpace, TalkTalk or LinkedIn — to experience a big data breach. Small and medium-sized companies are also at risk.

“Attackers know that SMEs have less money and fewer resources to spend on IT,” says Alan Calder, CEO of IT Governance, a global provider of IT governance, risk management and compliance solutions. “By targeting them they can get relatively easy access to the SMEs’ own assets and those of their customers.”

All organisations should tighten up the three areas where they are most vulnerable: their people, their processes and their technology. “You can switch on a firewall and protect yourself with anti-malware, but that's only one part of the security story,” says Calder. “Attackers will also target individual employees because they can be fooled into giving up passwords and clicking on links; and they will exploit a company's poor processes, such as being allowed into the CEO's office on the pretext of delivering a parcel. Once they're inside, they can put a USB stick into a workstation and upload or download whatever they want.”

Protecting your business

Two years ago, the UK government launched an affordable cyber protection scheme called Cyber Essentials: a set of five basic technical controls that, according to the government, could prevent around 80 per cent of common cyber attacks. Certification is awarded on the basis of a self-assessment that is verified by an accredited certification body.

“Cyber Essentials is an inexpensive way to get and demonstrate IT security compliance,” says Calder. “More complex organisations should attain certification to ISO 27001, which deals with information security management. A number of governments around the world require organisations to be ISO 27001 compliant before they are awarded contracts; and it's increasingly required of large organisations’ suppliers too.”

There's another reason that security is such an important area for any business. From 25 May 2018, the new EU General Data Protection Regulation (GDPR) will apply. This new law will require organisations to have systems and processes in place to protect the personal data of EU residents.

“Critically, it will give citizens the right to bring legal action against organisations that mistreat their data, and to be awarded damages that have no ceiling,” says Calder. “Administrative fines can also be levied, equivalent to 20 million Euros or 4 per cent of global turnover. It's worth emphasising that the GDPR applies to EU residents' data wherever it is processed, so organisations will need to comply with the law irrespective of where they are based. Brexit won't exempt organisations that operate only in the UK, either — according to the Information Commissioner, the GDPR will very likely apply before we leave the EU.”